False positive ASM block

Question

ASM security policy blocking the request as it is detecting an attack in the content.ASM is blocking because of cross site scripting attack. Subscriber names are coming in HTTP request. eg.Shelly. ASM is detecting as it as "shell" and blocking the request. Details of attack are violation as url shell parameter and attack cross site scripting. Is there any way to exclude these parameters(url, shell)
We don't want to disable whole XSS signature attack.&nbsp;

cory_50405 · Answer

Yep.  Navigate to Application Security -&gt; Parameters -&gt; Parameters List and then select the policy you wish to edit.  Create a new parameter, name it appropriately, and set it to a user-input value.  Then at the bottom, click the attack signatures tab and select the signature that is incorrectly firing on the parameter and move it over to the overriden security policy settings pane.  Ensure the dropdown for this signature says disabled.&nbsp;
This will disable the attack signature only for the specific parameter.&nbsp;

Forum Discussion

False positive ASM block

1 Reply

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Profile ssl server using pass phrase

error code 503 redirect irule

AST Configuration Assistance

F5OS VLAN naming length restrictions

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Related Content

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

Separating False Positives from Legitimate Violations

Handle False Positive for files upload

CMS causing False Positives

Attack Signature False Positive Mode

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS